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Abstract 

In this paper we construct a subclass of the composite access structure introduced in [9] based on schemes realizing the 
structure given by the set of codewords of minimal support of linear codes. This class enlarges the iterated threshold 
class studied in the same paper. Furthermore all the schemes on this paper are ideal (in fact they allow a vector space 
construction) and we arrived to give a partial answer to a conjecture stated in J9J. Finally, as a corollary we proof 
that all the monotone access structures based on all the minimal supports of a code can be realized by a vector space 
construction. 
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1. Introduction 

We will use the following notation. Let P - {Pi}" =l be a set of participants, 'K be the set of all possible keys and S 
be the share sets. Secret sharing schemes are used to distribute a secret K e 7C, like a private key of a cryptosystem, 
among a group of individuals P, giving to each participant a share from S, such that only specified subsets of P are 
able to determine the secret K from joining the shares they hold. Let F C I 9 be the family of subsets of P which 
are able to reconstructed the secret (i.e. authorized or qualified subsets) then T is called the access structure of the 
scheme. Since F is presupposed to satisfy the monotone property (that is, if A C B c p and A e T, then fief) then 
the set of minimal authorized subset of T, denoted by F m , determines a basis of F. The dual of the access structure V 
on the set P is defined as the access structure form by the subsets whose complements are not authorized, i.e. 

F* = {A c P | P \ A $ T| . 

A perfect sharing scheme avoid unauthorized coalitions to learn any information about the secret. Ito, Saito and 
Nishizeki [7] showed that for any arbitrary monotone collection of authorized set F, there exists a perfect sharing 
scheme that realizes F. Moreover, a secret sharing scheme is ideal if it is perfect and the domain of shares of each user 
is S. An access structure T is called ideal if there is an ideal scheme realizing it. An interesting class of access structure 
are those admitting a vector space construction, this structure is due to Brickell |3fl. Let F 9 be a finite field with q 
elements, an access structure F on P has a vector space construction over ¥ q if there exists a map <t> : P — > F^ 
and a vector v € \ {0} such that the vector v can be expressed as a linear combination of vectors in the set 
{€>(!P,) | Pi ■ e A) if and only if A e T. Schemes realizing this structures are called vector space secret sharing schemes. 
In sake of simplicity and without lost of generality usually v is taken to be the vector ei = (1,0). Unfortunately 
finding a rule for deciding when an access structure T admits a vector space construction is still an open problem if 
the underlying field is not fixed. The first examples of secret sharing schemes that appeared on the literature were 
examples of threshold schemes. The access structure of an (f, «)-threshold scheme is formed by subsets of participants 
whose cardinality is at least t. These schemes were introduced independently by Shamir [13] and Blakley yj] in 1979. 
Shamir's scheme used polynomial interpolation while Blakley's method is based on intersection properties of finite 
geometries, indeed both ideas where behind or related to the use of Reed-Solomon codes. Threshold schemes are 
ideal, admit a vector space construction and give the same opportunity to all the participants to access the secret. 
Indeed taking n different non-zero elements a\,...,a n e ¥ q and <t> defined by <t>(P,) = (1, or,-, af, . . . , of -1 ) e ¥ d q for 
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all i e {1, . . . , n\ then the (f, n)-threshold scheme can be seen as a vector space secret sharing schemes. From now on, 
the expression (f, n) will denote a (f, n)-threshold scheme. In real life, not all participants are in the same hierarchy and 
they do not have the same privileges to access certain secrets. This idea has been adapted to secret sharing Schemes 



by various authors. For instance, multilevel schemes by Simmons [14], bipartite structures by Padro and Saez 111 1 1 



or compartmented schemes by Brickell [3]. In this article we will used a special construction of this type of schemes 
presented in |9[] called composition of access structures. Let P — P\ U . . . U P s be a partition of P into disjoints sets 
where Pj is given by the set [Pj* , . . . , P„.) and n = ri\ + . . . + n r . Let To be an access structure on P and T,- be an 
access structure on Pi for i e {1, . . . , r), then the composite access structure of Ti, . . . ,T r following To, denoted by 
ro[Ti, . . . , F r ] is defined as follows: 

IolTi.rz, . • -,r r ] = (J {A c P I A n p t e r f for all P, e B) . (1) 

Ber 

Let us briefly fix the notation and introduce some basic definitions from coding theory. A linear code C of length n 
and dimension k over F ? , or an [n, k] code for short, is a ^-dimensional subspace of ¥" f For every codeword c e C 
its suport is define as its support as a vector in ¥ q , i.e. supp(c) = {i | c,- + 0). A codeword c is a minimal support 
codeword of C if it is non-zero and supp(c) is not contained in the support of any other codeword. We will denote by 
C m the set of codewords of minimal support of C. Note that describing the set of codewords with minimum hamming 
weight in an arbitrary linear code is an NP-problem Jlj] even if preprocessing is allowed Q]. Some improvements on 
their computation have been recently made in |@]. There are several ways to obtain a secret sharing using a linear 
code C, we refer the reader to if^L [Tol [l2Tl . It is not difficult to show that a vector space construction is equivalent to a 
code in the following sense: consider the matrix whose first column is the vector assigned to the dealer and the rest of 
columns are the vector assigned to the participants, this matrix can be seen as a parity check matrix of a code C and 
the authorized subsets are those codeword supports containing a non-zero element on the first position. 

In this paper we give a slightly different definition to the previous one. We define the access structure related to the 
[n, k] code C over P with \P\ = n, and we denote it by T c , as the set F c = [A c P | 3c € C \ (0) : A = Ufc SU pp(c) p i\- 
With this definition we study the composite access structures of the form IotFc, , Fc,, . . . , FcJ. We enlarge the well 
known class of iterated threshold structures in jsj. The main result is that this structure admits a vector space con- 
struction when To admits a vector space construction. This class of structures gives a partial answer to the conjecture 
in Jsl Open Problem 2] and they are more "natural" that the one proposed in it since the dealer appears only in one of 
the components and therefore there is no need of projecting the shares. As a corollary we obtain that Fc also admits a 
vector space construction. 



2. Composition of structures related to linear codes 

Let {C;K_j be a set of linear ¥ q codes each one of length «, and dimension kj for i - 1 , . . . , r. For each code C; we 
define the access structure related to C, over the set of participants P, = {P\ , P' 2 , . . . , P' n } as the set 

Tc, = T ; = ({J* , . . . P) s } | 3c * 0, c 6 Q such that supp(c) = {j\,..., j s }} . (2) 

That is, the family of qualified subsets is in one to one correspondence with the supports associated to the codewords 
of d and indeed IT is determined by the minimal support codewords of C,. 

Definition 1. Let Pi — [P'^Pi, . . . , P' n ] be the set of participants related to the code Cifor i — 1, . . . , r and consider 
all of them disjoint. Let Tq be an access structure over {PiY i=v we define the access struture Yq[C\, . . . , C s ] over the 
set of participants P — |_|f =1 Pi as the composite structure (see Equation\l\for a definition of composite structure) 

r [C u ...,c s ] = r [r C| ,...,r c j. (3) 

Remark 1. Note that the monotone access structures Tq are ¥ q -matroid representable structures but not in the usual 
sense ( see for example l^J) since they do not have a distinguished participant or a dealer. In our case all the supports 
in C are considered, not only those that include the first coordinate. Thus, by definition, it is not obvious that they can 
be realized by a vector space construction. We will show in Corollary\l\that this last statement is true. 
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Remark 2. If each C,- is taken to be the Reed-Solomon code 7?S («,■,£,) of parameters [«,-, ki\ and Yq is a threshold 
secret sharing scheme then we recover the class of iterated threshold access structures defined in H^J. 

Proposition 1. 

(r [Ci,...,c,])* = r*[cf,...,cf] 

Proof We know by H, Proposition 2] that (r [r Cl , . . . , T C J)* = T* [r* , . . . , T* ]. But the structure F* is repre- 
sentable by a code (F 9 -representable matroid) which is given by its dual code Cf and the result follows. □ 

Recall that we will denote by P" the minimal qualified subsets in the access structure F and by C m the subsets of 
participants in Yq related to minimal codewords of C. 

Proposition 2. 

(r [Ci,...,c s ]) ffl = r™[c; , ,...,c';] 

Proof. It follows straightforward from the definitions and [!SI Proposition 1]. □ 
3. Main Theorem 

Lemma 1. Let C be a ¥ q -linear code of parameters [n,k]. There exists a ¥ q i-linear code C of parameters [n,k] 
fulfilling the following properties: 

1. r c = r c , 

2. For each minimal support S E {1, . . . , n} of C there exists a m e (C') m with 2" = i m i ^ and supp(m) = S. 

Proof. Let T™ = {A\, A2, ■ ■ ■ ,A a ) be the set of minimal qualified subsets of Vq w.r.t. some ordering. Let H be a parity 
check matrix of C where hj denotes the j-th column with j = 1, . . . , n. 

By definition A\ is related to at least a codeword support of C. Assume that all linear combination based on A\ 
over F 9 satisfy the following expression: 

r, ; -Mi.. = with r j=l *j = . 

Then we proceed as follows: 

1. Choose an arbitrary linear combination of the above set, say A\, . . . ,A l n 6 F g , where 

A) ± if PjeAu £"=i <*)h; = and E"=i^ = 0. 

2. Take a column h , such that A 1 + and define the vector 

J j 

— 1 

71 

in such a way that A\y\ is neither zero nor equal to - £" =I /l' + A\. Note that in the binary case, q — 2, we need 
to enlarge the field to some F2-»i . 

3. Define the matrix H x obtained from H by replacing the vector hj by hj. Observe that H 1 defines the same linear 
dependence relations as H, since linear dependence behaves well when extending scalars to a field extension, 
and therefore both matrices realize the same access structure. 

At the end of this process we have found a linear combination based on A\ over ¥ q n such that 

r; =1 ^hj=0 and X" = i^-*0, 

where hj denotes the j-th column of the matrix H l for j — \,...,n. 

Once we have modified the original code and probably the field of definition for the set A\ we check Ai- If all 
linear combination based on A2 over ¥ q s, satisfy the following expression: 

Ej=i A/hJ = with £"=1 *j = . 
Then we proceed as follows (otherwise we skip this step): 
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1. Choose an arbitrary linear combination of the above set, say A\,...,A\ where 

A 2 * if Pj e A 2 , Z" j= i AjhJ = and £"=i A) = 0. 

2. Take a column h' such that A 2 - + and define the vector 

in such a way that: 

(a) If Pj A\ then A?:y2 is neither zero nor equal to - £" = i /l^ + /t 7 -. 

(b) Otherwise A 2 j2 has to be different from zero and from the values 

-ZZ =l A} + A) and -^ =1 A 2 + A 2 . 

3. Define the matrix H 2 obtained from H 1 by replacing the column h' by h'. Again H 2 realize the same access 
structure as H 1 and H. 

Similarly to the previous process, we obtain a linear combination based on A 2 over F 9 > 2 such that 

Z n j=l A 2 h 2 =0 and 2^ x() . 

Let us now proceed by induction. Suppose that we have a parity check matrix H l whose code (possibly defined in 
an extension of the scalars) realizes the structure F c and for each A, with ;' < I there exists a linear combination of the 
corresponding rows to the supports of A, with the sum of the coefficients different from zero. Suppose that for each 
linear combination based on A/ + i over F ? « ( we have 

r; ;.!/■< -o with x: ; .i;-o. 

Then we choose an arbitrary linear combination of the above set, say A 1 ^ 1 ,. . . , A 1 * 1 , we take a column h^. of H l 
corresponding to the support of A/+i such that A l t l ^0 and we define 

W = — h' 

1 yi+i 1 

where satisfy the following properties: 

• IfP, t {A!,...,A,ithen^ +1 ■ y l+l t {o, - £" = i A ' +l + A 'j +l }- 

• If Pj is only in A, and A/+i with t = 1, . . . , I then 



Af-^^,-^ + Af,-^A\ + A^. 



• If Pj is in Aj-j , . . . , A, t and A/ + i then 

^•y +1 4°'-Z^ 1+ ^-Z^ 1+ 4'---'-Z^ + 4l- 



i=l i=l (=1 
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If Pi is in Ar 



,A/,A; + i then 



The steps above could require to enlarge the field in order to get enough coefficients. We define H l+l to be the 
matrix obtained by replacing by in H l . H l+l defines the same linear dependence relations as H 1 , . . . , H l and H. 
Thus the induction step is proved and we can conclude the proof, i.e. in at most a steps we get a parity check matrix 
H a defining a code with the required properties. □ 

Theorem 1. If Tq admits a vector space construction then also Tq\C\, . . . , C s ] admits a vector space construction. 

Proof. Consider the map (Do : {PiY i=l —> ^ d q that endows To with a vector space construction. For each linear code 
d we consider the code C- that has as parity check matrix the matrix H, constructed in the proof of Lemma Q] 
probably defined in some field extension of ¥ q . We denote by h'. the j-th column of Hi. Now we consider the map 

3> : P — > F d » +2tl "' defined by 



0(P}) = (OoCP,), <)„,,..., 0„, 



(h})' ,0„ 
/+i-th position 



A,), 



where 0/ denotes the zero vector of length I. We shall prove that (D endows F = Tq[C\ , . . . , C' s ] with a vector space 
construction, and therefore also TotCi, . . . ,C S ] has a vector space construction since they define the same access 
structure by LemmaQ] Let A € F be a qualified set and B = {Pi \ P n A e T,} e F . Let A,- = [P l h , . . . , P\ } + 
be the set A n Pi and suppose that it is a minimal qualified set (otherwise it always contains one). Thus the vectors 



, h' } are linearly dependent and all subsets of them of cardinality 1; - 1 are linearly independent. By Lemma 



Q~|we have that there exist a codeword in C' i given by (0, ... , 0, A'. , 0, . . . , 0, A', , 0, . . . , 0) such that 



4.1 



A'j t + 0. Thus for each Pi e B the following non-zero vector 



/, 



( 



k=\ U=l 

belongs to (O(A)), and since <l>o defines a vector space structure on Fq then 

''/^(Pd) 



and we have that (d, 0, . . . , 0) € (0(A)>. 

On the other hand, let now A c p be a participant set such that ej 6 (0(A)). Then d € (4> (Z?)) and for each P-, e B 
if A, t = A n then e (7r,(<I>(fi))) where 7r,- is the restriction of 0(B) to the interval [ d + 1 + n j< d + Ylj=\ n i ■ 
Therefore there exists a codeword in C' i with support corresponding to the participants of the set A, = A n Pi for each 
Pi £ B. □ 

Corollary 1. Tq admits a vector space construction. 

Proof. Note that Fc = (1, 1)[C] so we can apply the above theorem. □ 



Acknowledgments 

The first two authors are partially supported by Spanish MCINN under project MTM2007-64704. First author research 
is also supported by a FPU grant AP2008-01598 by Spanish MEC. Second author is also supported by Spanish 
MCINN under project MTM2010-21580-C02-02. 



5 



References 



[1] E. R. Berlekamp, R. J. McEliece, and Henk C. A. van Tilborg. On the inherent intractability of certain coding problems. IEEE Trans. 

Information Theory, IT-24(3):384-386, 1978. 
[2] G. R. Blakley. Safeguarding cryptographic keys. In AFIPS 1979 National Computer Conference, pages 313-317, 1979. 
[3] E. F. Brickell. Some ideal secret sharing schemes. J. Combin. Math. Combin. Comput., 6:105-113, 1989. 

[4] Ernest F. Brickell and Daniel M. Davenport. On the classification of ideal secret sharing schemes (extended abstract). In Advances in 
cryptology — CRYPTO '89 (Santa Barbara, CA, 1989), volume 435 of Lecture Notes in Comput. Sci., pages 278-285. Springer, New York, 
1990. 

[5] J. Brack and M. Naor. The hardness of decoding linear codes with preprocessing. IEEE Trans. Inform. Theory, 36(2):381-385, 1990. 
[6] T. Chunming, G. Shuhong, and Z. Chengli. The Optimal Linear Secret Sharing Scheme for Any Given Access Structure. 201 1. 
[7] M. Ito, A. Saito, and T. Nishizeki. Secret sharing scheme realizing general access structure. Electron. Comm. Japan Part 111 Fund. Electron. 
Sci., 72(9):56-63, 1989. 

[8] I. Marquez-Corbella and E. Martinez-More Algebraic structure of the minimal support codewords set of some linear codes. Adv. Math. 
Commun., 5-2:233-244, 2011. 

[9] E. Martinez-Mora, J. Mozo-Fernandez, and C. Munuera. Compounding secret sharing schemes. Australas. J. Combin., 30:277-290, 2004. 
[10] J. L. Massey. Minimal codewords and secret sharing. In Proceedings of the 6th Joint Swedish-Russian International Workshop on Information 
Theory, pages 276-279, 1993. 

[11] Carles Padro and German Saez. Secret sharing schemes with bipartite access structure. In Advances in cryptology — EUROCRYPT '98 

(Espoo), volume 1403 of Lecture Notes in Comput. Sci., pages 500-511. Springer, Berlin, 1998. 
[12] A. Renvall, C. Ding, J. Pieprzyk, and J. Seberry. Information Security and Privacy, volume 1 172, pages 67-78. Springer Berlin / Heidelberg, 

1996. 

[13] Adi Shamir. How to share a secret. Communications of the ACM, 22(1 1):612— 613, 1979. 

[14] G. J. Simmons. An introduction to shared secret and/or shared control schemes and their application. In Contemporary cryptology, pages 
441-497. IEEE, New York, 1992. 



6 



